CRA
Cybersecurity of networked devices
The Cyber Resilience Act (CRA) adopted by the Council of EU Home Affairs Ministers in 2024 will impose new minimum requirements on manufacturers of networked devices in terms of cybersecurity.
The Cyber Resilience Act (CRA) sets out binding requirements for the cyber security of networked devices placed on the market within the EU with the aim of creating a uniform security standard for digital hardware and software products on the European market.
The European Union's Cyber Resilience Act aims to improve the cyber security of products with digital elements. Manufacturers, importers and distributors of such products that are placed on the market in the EU are affected. This includes a wide range of products, from IoT devices to software applications that are connected to the internet or have digital functions.
The Act sets out cybersecurity requirements that these products must fulfil before they can be sold in the EU. These include security measures that must be maintained throughout the entire life cycle of the product, as well as the obligation to disclose security vulnerabilities and provide security updates.
Companies that manufacture, import or distribute such products must ensure that their products comply with the standards set out in the Cyber Resilience Act in order to avoid legal and financial consequences.
Only a few types of product are exempt from the CRA, for example non-commercial open source software.
The "default category" includes products with digital components that have a low cyber risk. These include consumer products such as games, software and devices for image processing.
The "Important products Class I" category includes products that contain a security function that in turn affects other products. These include, for example, browsers, microcontrollers, microprocessors, password managers, operating systems, smart homes and virtual assistants.
The "Important products Class II" category includes products with digital components that fulfil a function that poses a significant risk: if such a product is manipulated, a large number of these products can be damaged, or the health and safety of users can be endangered. These products include, for example, firewalls, systems for attack detection and prevention, and tamper-proof microcontrollers and processors.
The "critical products" category includes products that represent a critical dependency for companies affected by NIS-2 (Article 3 of Directive (EU) 2022/2555). These are products whose malfunction could lead to serious interruptions or disruptions in services or supply chains. These include, for example, smart cards and secure elements (SEs), smart meter gateways, and hardware devices with security boxes.
The CRA contains new minimum requirements for the security of connected devices. In future, all connected products that are placed on the market within the EU must bear the CE mark. This visibly proves to the outside world that the labelled product fulfils the requirements of the CRA.
The CRA was adopted by the Council of EU Home Affairs Ministers on 10 October 2024 and published in the Official Journal of the European Union on 20 November 2024 as Regulation (EU) 2024/2847.